Hotel Management Company Becomes Repeat Breach Victim

A hotel management group has confirmed payment-card breaches in 10 of its hotels, just months before the affected point-of-sale (POS) systems were scheduled to be converted to tokenization — which might have blocked the breaches.

White Lodging Services, which operates 174 hotel properties, said last week that malware was found on POS systems in restaurants and lounges at nine Marriott-branded hotels and one Sheraton-branded hotel. The company hired a security firm to investigate after a credit union notified it on Jan. 27, 2015, of suspicious activity on payment cards used at the hotels.

The compromised card data “is believed to be limited to names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates,” the company said. It’s also believed to be limited to cards swiped at the food and beverage establishments in the hotels. Customers who ordered room service, charged food and drinks to their room numbers or didn’t visit the restaurants and bars are believed not to be affected. The breaches appear to have skimmed card data between July 3, 2014, and Feb. 6, 2015.

That means the seven-month breach began less than half a year after a similar incident surfaced in January 2014. That breach apparently started in March 2013, Krebs on Security reported at the time.

“After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services. These security measures were unable to stop the current malware occurrence on point-of-sale systems at food and beverage outlets in 10 hotels that we manage,” White Lodging president Dave Sibley said last week in a prepared statement. “We deeply regret and apologize for this situation.”

White Lodging said it operates the hotels for their owners, and is separate from both the owners and the hotel brands. That’s part of the reason only the food and drink establishments — where POS systems were run by White Lodging — were affected. For example, in the nine Marriott-branded hotels affected by the latest breach, franchise agreements require that Marriott’s own property management system be used. Those Marriott systems have already implemented tokenization to improve security.

But the POS terminals in the hotels’ restaurants, bars and gift shops “are transitioning to tokenization and are scheduled to be fully tokenized by the end of the second quarter,” a White Lodging spokesperson said in February.